Hi Viktor,

I was recently playing around with oqs-provider[1] for PQC support in openssl, but couldn't get it to work with Postfix 3.9.0 for TLSv1.3 key exchange.

Specifically, this provider implements new Key Encapsulation Methods like "x25519_kyber768", which I can use with `openssl s_server -groups`, or with nginx as `ssl_ecdh_curve`, but not with Postfix in `tls_eecdh_auto_curves`. Postfix keeps logging:

> warning: ignoring unknown key exchange group "x25519_kyber768"

Looking at the code in src/tls/tls_dh.c, Postfix verifies each group name in tls_eecdh_auto_curves and tls_ffdhe_auto_groups with OBJ_sn2nid(3), but so does nginx, which does accept that name.

I double checked that postfix is actually using my openssl.cnf, which is loading the provider, and also tried setting up explicit `tls_conf_file` and `tls_conf_name` with that configuration, but I can't get postfix to accept the new key exchanges.

There is no explicit support in Postfix for the standard FFDHE and ECDHE group names (other than adding them to the default settings), so I'd expect any key exchange to work, as long as OpenSSL supports it? Is there anything else that is holding Postfix from using algorithms from an external openssl provider?

Geert

[1] https://github.com/open-quantum-safe/oqs-provider/